Making Privacy Great Again (?) – The Blackphone Story – Part 4 – There’s a Snake in My Boot

Blackphone as an allegory to why the bad guys are winning, a step-by-step guide to unlocking your device, and to whom you should say “you’re welcome!”.

By Eh’den Biber

First of all, my apologies for the delay in writing. It was totally unintended, but life, as you all know, has a comic view of our perception that we are in control of it. We are funny.

So, back to the Blackphone. I must admit that I’m surprised with what I learned. It’s so true that until we experience something personally, knowing facts related to that experience is meaningless. A total colour-blindness, an inability to grasp the vast spectrum of radiation most of us perceive naturally.

But before we begin with the boot story, let me just highlight a surprising point – if you wanted proof that no one cares about security, INCLUDING security people, take a look at the vast number of security reviews that have been performed so far on the phone. I know, nothing out there.

I mean, if I can buy two units of the phone, I’m sure security researchers would have been able to do so. This was the first true attempt to provide a phone which would be secure AND not locked down like the Apple products are. I took the time to review it, but real businesses seem to have had no interest whatsoever in it, hence the financial situation that followed the release of the phone. This is REALLY BAD, because do you know who did buy the phone? State actors and cyber criminals, what we call “bad guys”. These people did it because they are trying to find weak points, and we, who are their target, act like spoiled fat rich people who were born to a wealthy father and who think that our perception of reality is the greatest. #MakeAmericaGreatAgain.

We, who live in democracies, are supposed to have an impact on our future, but at the end of the day the market is what counts. Take for example Google, the company that knows more about mothers’ children than they do, a company that in its IPO wrote the following words:

“We encourage our employees, in addition to their regular projects, to spend 20% of their time working on what they think will most benefit Google,” they wrote. “This empowers them to be more creative and innovative. Many of our significant advances have happened in this manner.”

Business Insider wrote a piece on it two years ago. Seems that the 20% were 150% (normal Google hours) + 20%. The point is that there is a HUGE gap between what we need to do in order to be ahead of the cyber-gap, and what our organisations allow us to do, which is to reach targets; anything beyond that is considered “extra”. A total lack of understanding of the nature of evolution.

OK, enough about politics.

The Android edition behind the Blackphone 2 is called “Silent OS”, which is supposed to be a more secure variant of the Android code, but like all Android devices it is heavily dependent on the boot process. If you are unfamiliar with that concept, when you start your mobile phone it first boots up a basic set of commands which allows it to load what is called, in the Android world, aboot. Think of the aboot as your computer’s BIOS. Linux and Android people, don’t kill me, I’m trying to use language that is understood by people who have been exposed to the PC universe. You know, the ones my kids call “old people” (me included). At this point the aboot loads the kernel, initialises hardware and allows you to run the operating system. Whatever runs between the time you start your machine and the time you get a prompt is similar to what happens in all other OSes, and the boot is what makes it all happen.

So, let’s talk about the boot, and the security around it. The people at Google didn’t plan a bad OS. They tried to follow best practices, such as allowing only the deployment of signed code into specific elements that are trusted. In the normal situation, you should only be allowed to program/write to a partition of an Android device with elements that have either been signed with a key it recognises or were installed under instructions from code that has been signed. Why? Because at this level you are controlling a lot of the hardware elements of your phone, and while most people don’t think about it, their mobile phone has to do a lot of things, consider a lot of elements and do a lot of what it has been programmed to do. Such as changing the rate of charging your battery, for example. It means that someone can write malicious code that will allow them to play around with the charging of the system. Best case scenario for such code is to cause your battery to lose the capability to charge. Worst case? Think about a lithium battery that is overheated and you get the answer – a mini bomb, or as Samsung called it – “Note”. This is why unlocking a device means voiding your warranty. We would like to think it’s because of security, but that’s only our delusion.

Now if you are smart you know that you can most likely prevent such a thing from happening by engraving it in your hardware, but unless you are Apple it is extremely hard to control your production line. See what happened to Samsung, and remember the antenna problems the iPhone had at some point. In any case, the whole idea behind the Android OS is to allow anyone to use the code so that Google will be able to spy, sorry, gather information people voluntarily agreed to give.

This means that if you want to make any changes to different elements you must first perform an OEM unlock, which allows you to flash some elements such as the recovery and the boot. There are endless guides on how to do so, but in case you want an express guide, here it is:

Start the device

Go into settings, then “about phone”

Scroll down to “build number” and tap on it multiple times until you are given access to what is known as “developer options”. Get out of the “about phone” sub-menu and enter the developer options menu.

If you’re lucky, your phone manufacturer allows you to do so just by flipping a switch. Enable OEM unlocking.

After enabling the possibility of OEM unlocking, the next step is to perform the real unlock. To do so, you must download a piece of software from Google that allows you to perform it. It’s called “platform-tools-latest-windows.zip”. Extract the files to a directory and open a command line in it.

Time to shut down the phone – use the normal shutdown, but make sure it is not connected to a charger or a computer.

Now you need to put the phone in fastboot mode, which is achieved by pressing volume down and, while it is being pressed, pressing the power button. When the screen shows you “android” you can release the keys and connect your phone to the computer.

In the case of Windows 10, no drivers need to be installed manually, but most likely they are downloaded automatically. On some other OSes, you might need to install the drivers manually.

Type “fastboot devices” and you should see your device serial number.

To unlock at this stage, you need to run the following command: “fastboot oem unlock-go”. This will result in the loss of your data, as the phone will go into a factory reset process. In most cases the aboot partition will be altered and from this moment on you will not be able to re-lock your device.

Oh, by the way, congratulations, you just lost your warranty; time to watch a video of a sad kitty cat.

Sadness is over, let’s go back to business.

The reason we unlocked the bootloader is that doing so allows you to “flash” (or program) the boot and the recovery images without the system validating the certificate that signed the code (if any). You can also do other things, such as write and update your Wi-Fi and WLAN modem firmware. And totally mess up your phone in a way it will never wake up from.

The boot and recovery images that were available on the internet when I bought it were of version 3.0.7 of SilentOS – the last OS update before Silent Circle started to lure grey-market device owners into turning their devices into demo units. The boot images and the recovery images are usually compressed and there are multiple ways of unpacking them. I’ve used a tool called Carliv Image Kitchen to perform the task.

You remember the recovery partition? Now this lovely partition can be populated with a custom recovery image, also known as TWRP. This custom recovery allows you to perform extended activities such as backing up your device, file access to your system, installation of root (YES) and many more which you will soon find out about. The good news was that there was a TWRP for the Blackphone 2; the bad news (for me) was that my device didn’t really work with it, and it booted up with a blank screen. When connected to my computer I was able to see it was working but was unable to enable the screen. To solve this problem, I tried to find a way to unpack and change the TWRP recovery image so it would work. If you remember, I already had a device which seems to be using very similar hardware (the M5.5), so I used the TWRP recovery image of this device, replaced the kernel with the Blackphone 2 kernel, and it was almost perfect. Now when I booted the device into recovery mode, TWRP was working.

Next thing was to root. I must admit that when I got the device it was not working with the most common root solution, a product called SuperSU by Chainfire. Luckily for me, there were other solutions, one of which is Magisk. Magisk is a systemless root solution. OK, let me explain what that means.

In the past, Google sort-of-allowed root solutions to live happily ever after on the system partition. This is not the case anymore, which led developers to load the root-related files during the boot process. To do so, the systemless installer patches the boot partition by inserting the required executables and assigning the right permissions to them before the system partition is loaded.
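The recovery image unpacked with Carliv Image Kitchen, the kernel swap between the M5.5 TWRP and the Blackphone 2, and the boot partition a systemless installer patches all work on the same container: the Android boot image, a fixed header followed by page-aligned kernel and ramdisk blobs. The Python below is an added example, not code from this post or from any of the tools it names. It parses the v0 header as laid out in AOSP (the `ANDROID!` magic, sizes, load addresses, page size, cmdline and the SHA-1 `id` field), checks the `id` against the blobs, and repeats the kernel swap described above by repacking the image. The image it builds is constructed fake data with stock-style addresses, and the function names (`parse_boot_image`, `replace_kernel`, and so on) are my own.

```python
import hashlib
import struct

# Android boot image v0 header, as laid out in AOSP's bootimg.h: 1632 bytes,
# followed by kernel, ramdisk and (optional) second-stage blobs, each page-aligned.
BOOT_MAGIC = b"ANDROID!"
HEADER_FMT = "<8s10I16s512s32s1024s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 1632


def _pages(size, page_size):
    """Whole pages needed to hold `size` bytes."""
    return (size + page_size - 1) // page_size


def boot_image_id(kernel, ramdisk, second=b""):
    """The header 'id' field the way mkbootimg fills it: SHA-1 over each blob
    followed by its little-endian size, zero-padded to the 32-byte field."""
    h = hashlib.sha1()
    for blob in (kernel, ramdisk, second):
        h.update(blob)
        h.update(struct.pack("<I", len(blob)))
    return h.digest().ljust(32, b"\0")


def parse_boot_image(img):
    """Split a boot.img or recovery.img into header fields and raw blobs.
    Offsets are derived from the header, so a size that points past the end
    of the file (truncated download or forged header) is rejected outright."""
    if len(img) < HEADER_SIZE or img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (missing ANDROID! magic)")
    (_, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     second_addr, tags_addr, page_size, _, os_version, name, cmdline,
     img_id, extra_cmdline) = struct.unpack_from(HEADER_FMT, img)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size must be a power of two")
    kernel_off = page_size  # the header occupies the first page
    ramdisk_off = kernel_off + _pages(kernel_size, page_size) * page_size
    second_off = ramdisk_off + _pages(ramdisk_size, page_size) * page_size
    if second_off + second_size > len(img):
        raise ValueError("header sizes exceed image length (truncated or forged header)")
    return {
        "kernel": img[kernel_off:kernel_off + kernel_size],
        "ramdisk": img[ramdisk_off:ramdisk_off + ramdisk_size],
        "second": img[second_off:second_off + second_size],
        "kernel_addr": kernel_addr, "ramdisk_addr": ramdisk_addr,
        "second_addr": second_addr, "tags_addr": tags_addr,
        "page_size": page_size, "os_version": os_version,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": (cmdline.rstrip(b"\0") + extra_cmdline.rstrip(b"\0")).decode("ascii", "replace"),
        "id": img_id,
    }


def build_boot_image(parts):
    """Repack the dict from parse_boot_image, recomputing the id for the current blobs."""
    page_size = parts["page_size"]
    kernel, ramdisk, second = parts["kernel"], parts["ramdisk"], parts["second"]
    cmdline = parts["cmdline"].encode("ascii")
    header = struct.pack(
        HEADER_FMT, BOOT_MAGIC,
        len(kernel), parts["kernel_addr"], len(ramdisk), parts["ramdisk_addr"],
        len(second), parts["second_addr"], parts["tags_addr"], page_size,
        0, parts["os_version"], parts["name"].encode("ascii"),
        cmdline[:512], boot_image_id(kernel, ramdisk, second), cmdline[512:1536])

    def padded(blob):  # pad each piece out to a whole number of pages
        return blob.ljust(_pages(len(blob), page_size) * page_size, b"\0")

    return padded(header) + padded(kernel) + padded(ramdisk) + padded(second)


def verify_boot_image(img):
    """True when the id matches the blobs. A mismatch means the image was edited
    without repacking; the first thing to check on an image downloaded from a forum."""
    p = parse_boot_image(img)
    return p["id"] == boot_image_id(p["kernel"], p["ramdisk"], p["second"])


def replace_kernel(img, new_kernel):
    """The post's manual Carliv step: keep the recovery ramdisk and load
    addresses, swap in another device's kernel, and repack."""
    p = parse_boot_image(img)
    p["kernel"] = new_kernel
    return build_boot_image(p)


def sample_image():
    """Constructed stand-in for a recovery.img: fake kernel and ramdisk bytes and
    stock-style addresses. Not a real Blackphone 2 or M5.5 image."""
    return build_boot_image({
        "kernel": b"FAKE-M5.5-KERNEL" * 300, "ramdisk": b"FAKE-TWRP-RAMDISK" * 200,
        "second": b"", "kernel_addr": 0x10008000, "ramdisk_addr": 0x11000000,
        "second_addr": 0x10F00000, "tags_addr": 0x10000100, "page_size": 2048,
        "os_version": 0, "name": "constructed", "cmdline": "androidboot.hardware=qcom",
    })


if __name__ == "__main__":
    img = sample_image()
    print("sample image valid:", verify_boot_image(img))
    patched = replace_kernel(img, b"FAKE-BP2-KERNEL" * 400)
    print("patched image valid:", verify_boot_image(patched),
          "kernel bytes:", len(parse_boot_image(patched)["kernel"]))
```

Run against a real image, `verify_boot_image` tells you whether the file was repacked by a proper tool after its last edit, and `parse_boot_image` gives you the cmdline and addresses to compare between two devices before you consider swapping kernels. Note that the `id` is an integrity hash, not a signature: a matching id says nothing about who built the image, which is exactly why an unlocked bootloader that skips signature checks is the risk the post describes.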

So… that’s the easy part. To install the Magisk root you need to:

boot into recovery

press install

scroll to the external sd card where you stored the magisk.zip file

select; and

install

That’s it. You’re almost there. When you start your Blackphone it will scream at you that it detected an active root, so don’t forget to say to the OS … “you’re welcome”.

The much, MUCH more interesting part for me was to try to figure out the boot process while reading about it as little as possible. I took the M5.5 boot partition as well as those of other phones, and using a program called WinMerge I compared the loading scripts of the two phones, which, again, had almost identical hardware.

The most interesting element I found is the fact that the way the Blackphone was using the mobile and Wi-Fi modem code was very different from other phones. Normally, there are a bunch of services that are loaded during the boot process that are related to the mobile chipset provider (in this case, Qualcomm). Not in the Blackphone; the Blackphone seems to be delaying the whole process to a later stage, most likely to provide its CIDS, what Silent Circle calls “Cellular Intrusion Detection System”. As mentioned before, there is another element which I’m not sure how Silent Circle handled, and that’s the extensive rights the modem firmware usually has. It’s hard to know, and frankly, this should have been answered at a con by a person who was asked to perform an analysis of the phone.
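The WinMerge comparison above is a diff of init scripts read by eye. The Python below is an added example, not code from this post, that does the same comparison mechanically: it parses the `service` blocks and `on` triggers of two init.rc files and reports which services exist on one side only, which shared services differ in class, user, groups or start trigger, and which ones run as root in the early `core` class. The two init.rc fragments are constructed stand-ins with made-up service names and binaries (`vendor.radio_daemon`, `vendor.cids`, and so on), not the real Blackphone 2 or M5.5 scripts, and the parser only models the subset of init.rc syntax needed for that comparison.

```python
# Two constructed init.rc fragments standing in for the loading scripts of the two
# phones compared in the post. Service names, binaries and triggers are made up.
RC_PHONE_A = """\
on boot
    start vendor.radio_daemon

service vendor.radio_daemon /system/bin/radio_daemon
    class core
    user root
    group radio system

service vendor.wifi_fw_loader /system/bin/wifi_fw_loader
    class core
    user root

service adbd /sbin/adbd
    class core
    disabled
"""

RC_PHONE_B = """\
on property:sys.boot_completed=1
    start vendor.radio_daemon

service vendor.radio_daemon /system/bin/radio_daemon
    class late_start
    user radio
    group radio system

service vendor.cids /system/bin/cids
    class late_start
    user radio

service adbd /sbin/adbd
    class core
    disabled
"""


def parse_init_rc(text):
    """Collect each service block plus the 'on' triggers that start it. Only the
    options that matter for privilege and ordering are kept; others are ignored."""
    services, started_by, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        words = line.split()
        if line[0] not in " \t":  # unindented line: a new section starts
            if words[0] == "service" and len(words) >= 3:
                current = ("service", words[1])
                services[words[1]] = {"exec": words[2], "class": "default", "user": "root",
                                      "group": [], "disabled": False, "started_by": []}
            elif words[0] == "on" and len(words) >= 2:
                current = ("on", " ".join(words[1:]))
            else:
                current = None  # import and friends are not tracked
            continue
        if current is None:
            continue
        kind, key = current
        if kind == "service":
            svc = services[key]
            if words[0] == "class" and len(words) > 1:
                svc["class"] = words[1]
            elif words[0] == "user" and len(words) > 1:
                svc["user"] = words[1]
            elif words[0] == "group":
                svc["group"] = words[1:]
            elif words[0] == "disabled":
                svc["disabled"] = True
        elif words[0] == "start" and len(words) == 2:
            started_by.setdefault(words[1], []).append(key)
    for name, svc in services.items():
        svc["started_by"] = sorted(started_by.get(name, []))
    return services


def diff_services(a, b):
    """Services present on one side only, plus shared services whose exec,
    class, user, groups, disabled flag or start trigger differ."""
    report = {"only_in_a": sorted(set(a) - set(b)),
              "only_in_b": sorted(set(b) - set(a)), "changed": {}}
    for name in sorted(set(a) & set(b)):
        diffs = {f: (a[name][f], b[name][f]) for f in a[name] if a[name][f] != b[name][f]}
        if diffs:
            report["changed"][name] = diffs
    return report


def early_root_services(services):
    """Services that run as root in the 'core' class, i.e. before the system
    partition is up: the first ones to review in any boot or recovery image."""
    return sorted(n for n, s in services.items() if s["user"] == "root" and s["class"] == "core")


if __name__ == "__main__":
    a, b = parse_init_rc(RC_PHONE_A), parse_init_rc(RC_PHONE_B)
    for name, fields in diff_services(a, b)["changed"].items():
        for field, (old, new) in fields.items():
            print(f"{name}: {field} {old!r} -> {new!r}")
    print("early root services, A:", early_root_services(a))
    print("early root services, B:", early_root_services(b))
```

On the constructed input the report shows what the post describes for the real phones: the radio service moves from the `core` class started `on boot` to a `late_start` service started once the system reports boot completed, and it stops running as root. Point `parse_init_rc` at the `init*.rc` files extracted from two ramdisks and the `changed` and `only_in_*` lists are the places to start reading.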

I think I will stop now. I wish to share with you some very practical advice on what you can do in order to be secure, all of which you can achieve with an unlocked device and a little bit of root. Also, in the next post I will defend the right to root, and explain why having a rooted device does not automatically mean that it is less secure than a non-rooted device.